From Vtech kiddie to professional security expert - The self-taught way.
Sure, we had a Commodore at home, but my first real steps in teaching myself a computer language were on the toy computer that belonged to my sister. Along with the games, it had a very minimal QBasic shell to program small tasks. I spent hours doing input/output examples, showing off my skills to my parents at that time. Soon enough, I ran out of options after having used and combined all the techniques in the /help menu.
Like a perfectly timed coincidence, my parents managed to get a brand new Pentium 90 MHz, 8 MB (yes, MB not GB!) Windows 3.1 desktop, costing a small fortune at that time. Remember, the internet still didn't exist back then for the general public. Out with the Vtech, in with MS-DOS and full-blown QBasic!
Line after line, my programs became more evolved and complex. With every issue I encountered (yes, no Google to grab some examples), I only became more passionate about solving it.
As the years went by and technology evolved at a rapid pace, it was a real struggle to keep up with the new technology and programming languages. While I was still playing around in Basic, Visual Basic stood out. When I started to master Visual Basic, .NET came out, and so on.
I had the urge to master every single command that could be found in the syntax help menu before switching to another language.
By now, I have a perfect knowledge of the following languages, all self-taught over the last 20 years of my life:
- Visual Basic / VB.net
- C / C++
- Batch / Shell
- All major web programming languages/platforms
Those are the languages that I truly master, without the help of the almighty Google. Most programming languages are just dialects derived from these, so in general, I could work with any language.
Did I mention that I rarely use any kind of IDE? My workspace is mainly Notepad++. Yup, that's oldskool!
Mastering my skills for fun and profit and taking the biggest loss of my life.
The upside of self-taught coding is knowing the flaws and weaknesses of code. When running penetration tests, it's sad to conclude that the majority is blindly using third-party packages, or using code they've found on Google somewhere.
Using Google-found code for authentication systems is like a Google self-diagnosis when you're ill.
While there are solid, trusted, open source platforms available that will do most of the heavy lifting for you, never use them without understanding every single line of code when it comes to sensitive data, and all data related to any customer should be considered sensitive!
Around the age of 16, I created my first full-blown application for a mid-size company to keep track of their supplies, staff, working time, bills, inventory, you name it, my program did it. Around 27.000 lines of code written from scratch and uncountable hours in front of my screen, almost 18h per day for about 3 months straight.
I was skipping school just to finish this application, believing it would make me a rich man and my future would be bright. I dreamt about my own big building with my name plate on it, sitting next to Bill Gates drinking coffee.
Every problem I faced was just a challenge to see how much I wanted to reach my goal!
What happened then really blew up in my face. The company was very excited about my application, so they offered me a good deal (at that moment, from a poor 16-year-old kid's point of view).
I got paid 2500€ for the application (jackpot!!) and an additional 500€ for handing over the rights to my application in a legal ownership agreement. Jackpot again! 500€ just for that? Count me in!
There I was, 16 years old with 3000€ in my pocket. But why did they want the ownership of my application anyway? It's just stupid lines of code, why on earth would someone pay me 500€ extra?
Well, it turns out the company commercialized my application using a license system. They've sold over 450.000 licenses in the past 15 years at 900€/year and it's still selling today in a more polished, up-to-date GUI version.
That could've been my income! There goes my dream of getting rich doing what I like most in life.
400.000.000€ yearly revenue. How could I not have seen this happening when they offered me 500€ extra?
I'll beat them at their own game - From outraged to security expert.
I had one main advantage over the company's IT department: the fact that I had written the code from scratch. Even though I had spent an excessive amount of time on security, code will never be 100% failure proof.
Around the time their userbase passed 100k customers, I sent them a highly detailed security report pointing out all the flaws their application suffered from.
When the initial transfer of the application was done, I was supposed to do the maintenance of this application and patch up the 'small flaws' still present at the time of delivery, since their priority was a working application first, patching small issues later. But with the transfer of ownership, this part of the agreement was no longer needed in their eyes - so don't think I deliberately implemented some bugs when reading this.
This time I outsmarted them at their own game. I had one condition for fixing all the bugs, which mainly came from their IT department putting their own code on top of mine instead of altering the source.
"You'll send a mail with my name and contact details to every customer when notifying them of downtime due to security maintenance."
Sure enough, after a couple of weeks, the first customer sent me an email regarding a security audit.
The game is on again!
This is part 1 of my article. I'll continue with part 2 tomorrow as I don't have the time to keep writing for hours :)
Make sure to follow me to read the rest of my success story!
By the way, can I get an 'amen' from you all in memory of my dog?
He's the reason I started blogging, to fill the empty gap when coming home.